So much Tech and so little time

office 365

We recently started implementing Multi-Factor Authentication with Office 365, and today I ran into a weird issue while working from home.

Laptop – Windows 10 1703

Outlook 2016 – 16.0.7726.1049

While opening Outlook 2016 I was prompted for my Office 365 credentials (over and over again) without any MFA prompt.

It would not go away and would not connect.

So I checked:

OWA – https://outlook.office365.com/owa – worked with no problem, and I was prompted for MFA.

Teams – local install, worked with no bother, with MFA.

So I went to Azure Active Directory and could see loads of failed attempts:

Specifically: User did not pass MFA challenge (non Interactive)

So my guess was Outlook wasn't prompting me for MFA for whatever reason. I tried a new Outlook profile, which wouldn't connect, and the following registry entries to try and force basic connections from Outlook:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity

EnableADAL – DWORD value 0

DisableADALatopWAMOverride – DWORD value 1

None of this worked, so I went all out and did the following, which fixed the issue:

Sign out of Office 365

Open Word

In the upper-right corner of the Office 2016 app, click your name, and then click Switch Account.

On the Accounts screen, click Sign out.

Locate the account that you want to remove, and then click Sign out.

Remove the cached credentials in Credential Manager.

To do this, open Control Panel, and then click Credential Manager.

Under Windows Credentials, remove all the accounts listed under Generic Credentials.

Clear cached credentials on the computer from the registry.

Click Start, click Run, type regedit, and then click OK.

In Registry Editor, locate and backup then delete the following registry subkey:
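The sign-out steps above have to be clicked through, but the rest of the cleanup (Credential Manager entries and the identity cache subkey) can be scripted. The following is an added example and not part of the original post. It assumes: the name of the registry subkey the post deletes is not shown on this page, so the script takes the path under HKCU as a parameter rather than guessing it; cmdkey.exe lists Generic Credentials as "Target: LegacyGeneric:target=..." and accepts that string for /delete. It also removes the two troubleshooting values set earlier in the post, because leaving EnableADAL at 0 keeps modern authentication off, and a basic-auth connection can never satisfy an MFA requirement.

```powershell
# Added example (not from the original post). Run as the affected user, after
# signing out of Office. Supports -WhatIf so the effect can be reviewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Identity cache subkey to back up and delete, as a path under HKCU
    # (the value is taken from the Microsoft article the post follows, not
    # shown here).
    [Parameter(Mandatory = $true)]
    [string]$IdentitySubKey,

    # Regex selecting which Generic Credentials to remove. The post removes
    # all of them; pass '.' for that. The default limits it to Office entries.
    [string]$TargetFilter = 'MicrosoftOffice|ADAL|Office',

    [string]$BackupDir = "$env:TEMP\office-identity-backup"
)

# 1. Undo the two troubleshooting values from earlier in the post if present.
#    EnableADAL = 0 disables modern authentication in Office 2016, which is
#    exactly what makes an MFA-protected account unable to sign in.
$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
foreach ($name in 'EnableADAL', 'DisableADALatopWAMOverride') {
    $existing = Get-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $existing -and $PSCmdlet.ShouldProcess("$identityKey\$name", 'Remove value')) {
        Remove-ItemProperty -Path $identityKey -Name $name
    }
}

# 2. Remove cached Generic Credentials. cmdkey reads the same store that
#    Credential Manager displays; its /list output has one "Target:" line per
#    entry, and generic ones carry the LegacyGeneric:target= prefix.
$targets = cmdkey /list 2>$null | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(LegacyGeneric:target=\S.*?)\s*$') { $Matches[1] }
} | Where-Object { $_ -match $TargetFilter }

foreach ($t in $targets) {
    if ($PSCmdlet.ShouldProcess($t, 'cmdkey /delete')) {
        cmdkey "/delete:$t" | Out-Null
    }
}

# 3. Back up the identity subkey with reg.exe, then delete it. Abort if the
#    export fails so nothing is lost without a copy.
$null   = New-Item -ItemType Directory -Path $BackupDir -Force
$regKey = "HKCU\$IdentitySubKey"
$backup = Join-Path $BackupDir ('identity-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
if ($PSCmdlet.ShouldProcess($regKey, "Export to $backup, then delete")) {
    reg export $regKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; nothing was deleted." }
    Remove-Item -Path "HKCU:\$IdentitySubKey" -Recurse -Force
}
```

Run it once with -WhatIf, passing the subkey from the article as -IdentitySubKey, to see which credentials and which key it would touch, then without. Close all Office applications first; Outlook re-creates the cache on next launch and should then prompt for MFA through the normal modern-auth flow.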

So there was an issue: basically, we didn't add the server names to our wildcard cert. So we added the server names as Subject Alternative Names, imported the certificate using PowerShell onto both Client Access servers and then rebooted:
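The mismatch above is easy to catch before clients do: pull the certificate each Client Access server actually presents and check every name it is reached by, including the short NetBIOS name that a wildcard never covers. The following is an added example, not code from the original post. Server and domain names are placeholders; the import itself is done with the Exchange Import-ExchangeCertificate and Enable-ExchangeCertificate cmdlets, which this script does not replace, it only verifies the result.

```powershell
# Added example (not from the original post). Checks SAN coverage of the TLS
# certificate served on 443 by each CAS. Host names below are placeholders.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name (OID 2.5.29.17) entries; fall back to the CN
    # only when the extension is absent, as old clients did.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        return @([regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    if ($Cert.Subject -match 'CN=([^,]+)') { return @($Matches[1].ToLower()) }
    return @()
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$DnsNames)
    # A wildcard matches exactly one leftmost label, so *.example.com covers
    # cas01.example.com but not cas01 or cas01.corp.example.com.
    $h = $HostName.ToLower()
    foreach ($n in $DnsNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)            # ".example.com"
            $idx = $h.IndexOf('.')
            if ($idx -gt 0 -and $h.Substring($idx) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate during the handshake: a name mismatch is what we
    # want to report, not something to throw on.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

# Each server and every name it is contacted by: external namespace, internal
# FQDN and the short name. All placeholders.
$servers = @{
    'cas01.corp.example.local' = 'mail.example.com', 'autodiscover.example.com', 'cas01.corp.example.local', 'cas01'
    'cas02.corp.example.local' = 'mail.example.com', 'autodiscover.example.com', 'cas02.corp.example.local', 'cas02'
}

foreach ($server in $servers.Keys) {
    $cert  = Get-ServedCertificate -HostName $server
    $names = Get-CertificateDnsNames -Cert $cert
    "{0}  thumbprint {1}" -f $server, $cert.Thumbprint
    foreach ($expected in $servers[$server]) {
        $state = if (Test-NameCovered -HostName $expected -DnsNames $names) { 'OK' } else { 'MISSING' }
        '  {0,-32} {1}' -f $expected, $state
    }
}
```

Re-run this after Enable-ExchangeCertificate -Services IIS on each server; any line still reporting MISSING is a name that has to go onto the certificate before clients will connect cleanly.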

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-GB/library/System.ServiceModel.Diagnostics.EventLog.aspx</TraceIdentifier><Description>Wrote to the EventLog.</Description><AppDomain>/LM/W3SVC/1/ROOT/EWS-1-131788827699531225</AppDomain><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/DictionaryTraceRecord"><CategoryID.Name>WebHost</CategoryID.Name><CategoryID.Value>5</CategoryID.Value><InstanceID.Name>WebHostFailedToProcessRequest</InstanceID.Name><InstanceID.Value>3221356547</InstanceID.Value><Value0>System.ServiceModel.ServiceHostingEnvironment+HostingManager/39086322</Value0><Value1>System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection.

So the long and short of it is they think IIS is broken. The traffic is being passed to the Group2 services, but these services are not passing the information back up the stream.

MS decided they wanted to swap out the EWS web.config with a new one from:

Before I get started, this is not referring to standard Distribution Groups. It refers to the groups that can be created in the newer version of Office 365, which offer a "Lync-esque" conversation feature with added functionality, such as being able to review previous messages when added at a later date.

In most environments, the workplace and alike, this would be a great feature. However, in environments like schools it can lead to administrative trouble, as there is currently no way to administer the groups once created: they are hidden from the admin unless viewed within the mailbox/OWA of the user who created them.

In this particular case these groups needed to be (A) removed manually and (B) blocked from future creation.
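Both of those steps can be done from Exchange Online PowerShell, where the groups the admin portal hides are all returned by Get-UnifiedGroup. The following is an added example and not the original post's own script. It assumes an open Exchange Online session, and the name filter, group names and policy name are placeholders; OwaMailboxPolicy-Default is the built-in policy name, which a tenant may have replaced with its own.

```powershell
# Added example (not from the original post): enumerate, remove and block the
# creation of Office 365 Groups (UnifiedGroup objects). -WhatIf supported.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Remove only groups whose display name or alias matches this regex.
    # '.' would remove every group in the tenant; the default is deliberately
    # narrow and is a placeholder for the naming pattern students used.
    [string]$NameFilter = '^(Class|Year|Test) ',

    # OWA mailbox policy applied to the users who should not create groups.
    [string]$OwaPolicy = 'OwaMailboxPolicy-Default'
)

# A. List the groups. They are invisible in the classic admin views the post
#    describes, but Get-UnifiedGroup returns every one, with its creator/owner.
$groups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.DisplayName -match $NameFilter -or $_.Alias -match $NameFilter }

$groups | Select-Object DisplayName, Alias, PrimarySmtpAddress, WhenCreated,
    @{ Name = 'Owners'; Expression = {
        (Get-UnifiedGroupLinks -Identity $_.Identity -LinkType Owners |
            Select-Object -ExpandProperty PrimarySmtpAddress) -join ';' } } |
    Format-Table -AutoSize

# B. Remove them. This also removes the group's shared mailbox, conversation
#    history and SharePoint site, so review the -WhatIf output first.
foreach ($g in $groups) {
    if ($PSCmdlet.ShouldProcess($g.PrimarySmtpAddress, 'Remove-UnifiedGroup')) {
        Remove-UnifiedGroup -Identity $g.Identity -Confirm:$false
    }
}

# C. Stop users creating new ones from Outlook/OWA by turning the capability
#    off in the OWA mailbox policy that applies to them, then confirm.
if ($PSCmdlet.ShouldProcess($OwaPolicy, 'Set GroupCreationEnabled to $false')) {
    Set-OwaMailboxPolicy -Identity $OwaPolicy -GroupCreationEnabled $false
}
Get-OwaMailboxPolicy | Select-Object Name, GroupCreationEnabled
```

One caveat: GroupCreationEnabled on the OWA mailbox policy only blocks creation from Outlook and OWA. Groups can also be created through other workloads (Teams, Planner, SharePoint), and the tenant-wide switch for that is the Azure AD "Group.Unified" directory setting (EnableGroupCreation), managed with the Azure AD PowerShell module rather than Exchange Online.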
